powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

NetworkManager package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2018-11-27 14:18:06 +01:00
parent 5fcd515e5b
commit 96063fbf48
3 changed files with 576 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

506
SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch Normal file
View File

@ -0,0 +1,506 @@
From 0d4220fa98fbbd8aa0944a6ed87122b579716ff5 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 10 Sep 2018 15:22:28 +0200
Subject: [PATCH 1/9] systemd/dhcp: fix assertion starting DHCP client without
MAC address

An assertion in dhcp_network_bind_raw_socket() is triggered when
starting an sd_dhcp_client without setting setting a MAC address
first.

- sd_dhcp_client_start()
- client_start()
- client_start_delayed()
- dhcp_network_bind_raw_socket()

In that case, the arp-type and MAC address is still unset. Note that
dhcp_network_bind_raw_socket() already checks for a valid arp-type
and MAC address below, so we should just gracefully return -EINVAL.

Maybe sd_dhcp_client_start() should fail earlier when starting without
MAC address. But the failure here will be correctly propagated and
the start aborted.

See-also: https://github.com/systemd/systemd/pull/10054
(cherry picked from commit 34af574d5810ab2b0d6d354cbc28135cde4a55b1)
(cherry picked from commit 0a797bdc2a592385a21e7ed918c08ef54a346d99)
(cherry picked from commit f37ed84ca495ee212b1e82b9c5a5682c4acfebcd)
---
src/systemd/src/libsystemd-network/dhcp-network.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp-network.c b/src/systemd/src/libsystemd-network/dhcp-network.c
index 90fe29d04..80e9577cd 100644
--- a/src/systemd/src/libsystemd-network/dhcp-network.c
+++ b/src/systemd/src/libsystemd-network/dhcp-network.c
@@ -128,8 +128,6 @@ int dhcp_network_bind_raw_socket(int ifindex, union sockaddr_union *link,
const uint8_t *bcast_addr = NULL;
uint8_t dhcp_hlen = 0;
- assert_return(mac_addr_len > 0, -EINVAL);
-
if (arp_type == ARPHRD_ETHER) {
assert_return(mac_addr_len == ETH_ALEN, -EINVAL);
memcpy(&eth_mac, mac_addr, ETH_ALEN);
--
2.17.1


From ee92f8164c0ecee86cec104240f0bbe155901891 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 30 Sep 2018 20:23:58 +0900
Subject: [PATCH 2/9] dhcp6: check option length before reading values

Fixes oss-fuzz#10746
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10746.

https://github.com/systemd/systemd/pull/10213
https://github.com/systemd/systemd/commit/84452783b8bcc44e0dbb7fa6ddc6dad8c064bdfe
(cherry picked from commit 484e92e17f93aa9658944dc886d420ef32bc625e)
(cherry picked from commit 0cec1cb93edd2efa6bee8e2ec1000d94a86ec61e)
(cherry picked from commit 8b8b248679ee17b5c8e68fb8e8e6f6cd3ec32f03)
---
src/systemd/src/libsystemd-network/dhcp6-internal.h | 2 +-
src/systemd/src/libsystemd-network/dhcp6-option.c | 11 ++++++-----
src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 2 +-
3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-internal.h b/src/systemd/src/libsystemd-network/dhcp6-internal.h
index f1cbd6a4f..06e2e5324 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-internal.h
+++ b/src/systemd/src/libsystemd-network/dhcp6-internal.h
@@ -91,7 +91,7 @@ int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd);
int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn);
int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
size_t *optlen, uint8_t **optvalue);
-int dhcp6_option_parse_status(DHCP6Option *option);
+int dhcp6_option_parse_status(DHCP6Option *option, size_t len);
int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia);
int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen,
struct in6_addr **addrs, size_t count,
diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
index a8a56463a..e462b7083 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
@@ -249,10 +249,11 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
return 0;
}
-int dhcp6_option_parse_status(DHCP6Option *option) {
+int dhcp6_option_parse_status(DHCP6Option *option, size_t len) {
DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option;
- if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*statusopt))
+ if (len < sizeof(DHCP6StatusOption) ||
+ be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption))
return -ENOBUFS;
return be16toh(statusopt->status);
@@ -279,7 +280,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia,
}
if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) {
- r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options);
+ r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option));
if (r != 0)
return r < 0 ? r: 0;
}
@@ -319,7 +320,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia,
}
if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) {
- r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options);
+ r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option));
if (r != 0)
return r < 0 ? r: 0;
}
@@ -464,7 +465,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
case SD_DHCP6_OPTION_STATUS_CODE:
- status = dhcp6_option_parse_status(option);
+ status = dhcp6_option_parse_status(option, optlen);
if (status) {
log_dhcp6_client(client, "IA status %d",
status);
diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
index ca03f580e..b82e3f45f 100644
--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
@@ -828,7 +828,7 @@ static int client_parse_message(
break;
case SD_DHCP6_OPTION_STATUS_CODE:
- status = dhcp6_option_parse_status(option);
+ status = dhcp6_option_parse_status(option, optlen);
if (status) {
log_dhcp6_client(client, "%s Status %s",
dhcp6_message_type_to_string(message->type),
--
2.17.1


From a944785f244e92094eb4379cf12e76f5205037d3 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Sat, 29 Sep 2018 03:06:10 +0000
Subject: [PATCH 3/9] dhcp6: fix an off-by-one error in
dhcp6_option_parse_domainname

==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88
READ of size 1 at 0x60200055fa9c thread T0
#0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29
#1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13
#2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29
#3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13
#4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21
#5 0x7f0f7159deee in source_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21
#6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21
#7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21
#8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9
#9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9
#10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
#12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
#13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
#14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
#15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10
#16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928)

https://github.com/systemd/systemd/pull/10200
https://github.com/systemd/systemd/commit/b387d3c1327a3ad2a2509bd3d3491e674392ff21
(cherry picked from commit 7cb7cffc4962245a32e87017bcf264005c043250)
(cherry picked from commit cd3aacefdd0b91741b7b2e7b5ee5baab210addd9)
(cherry picked from commit 5b140a77bc7b01dc002dbf28a7a2507a27a63d7c)
---
src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
index e462b7083..ff1cbf13d 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
@@ -566,7 +566,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
/* Literal label */
label = (const char *)&optval[pos];
pos += c;
- if (pos > optlen)
+ if (pos >= optlen)
return -EMSGSIZE;
if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
--
2.17.1


From fc04015063d44a61b85bdf2c2648d9ac9fb4a446 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 27 Sep 2018 18:04:59 +0900
Subject: [PATCH 4/9] sd-dhcp-lease: fix memleaks

(cherry picked from commit e2975f854831d08a25b4f5eb329b6d04102e115f)
(cherry picked from commit 157094abd83f933fad142758a7d177cfa1a347f7)
(cherry picked from commit 3fd9d11619a5e60d375076fbe13851dd1d3a4a63)
---
src/systemd/src/libsystemd-network/sd-dhcp-lease.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
index 33a0796a8..841d07926 100644
--- a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
@@ -279,6 +279,8 @@ sd_dhcp_lease *sd_dhcp_lease_unref(sd_dhcp_lease *lease) {
free(option);
}
+ free(lease->root_path);
+ free(lease->timezone);
free(lease->hostname);
free(lease->domainname);
free(lease->dns);
--
2.17.1


From ae56f71f5bd4233f335ec4c2a5172b59be3d80ca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 27 Sep 2018 23:48:51 +0900
Subject: [PATCH 5/9] dhcp6: fix buffer size checking

(cherry picked from commit cb1bdeaf56852275e6b0dd1fba932bb174767f70)
(cherry picked from commit 91fb1673d5217aaf1461998fd2675630f5c265f9)
(cherry picked from commit 15a3c6c692ee0125d4673df42ef8986e9e3d69c7)
---
src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
index b82e3f45f..b65c31171 100644
--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
@@ -776,8 +776,8 @@ static int client_parse_message(
uint8_t *optval;
be32_t iaid_lease;
- if (len < offsetof(DHCP6Option, data) ||
- len < offsetof(DHCP6Option, data) + be16toh(option->len))
+ if (len < pos + offsetof(DHCP6Option, data) ||
+ len < pos + offsetof(DHCP6Option, data) + be16toh(option->len))
return -ENOBUFS;
optcode = be16toh(option->code);
--
2.17.1


From 9babde953073b460d8bcda13329c60a0a74cdc3c Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 19 Oct 2018 03:44:56 +0900
Subject: [PATCH 6/9] sd-dhcp6: fix argument and error handling of
dhcp6_option_parse_status()

(cherry picked from commit 91c43f3978fa7c8341550b9ca279e460ba7e74e6)
(cherry picked from commit 373cbfc8c6e9591b3c8cc12d58c4b31ac35ab24f)
(cherry picked from commit 0e93fd895daa6f0f578ffa8fc4ed3e0ea85c62e8)
(cherry picked from commit 6ea13fc82523bebaa08cf2ab8404e751a654261f)
---
src/systemd/src/libsystemd-network/dhcp6-option.c | 10 ++++++----
src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 9 +++++----
2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
index ff1cbf13d..cfddefcb5 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
@@ -465,13 +465,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
case SD_DHCP6_OPTION_STATUS_CODE:
- status = dhcp6_option_parse_status(option, optlen);
- if (status) {
+ status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
+ if (status < 0) {
+ r = status;
+ goto error;
+ }
+ if (status > 0) {
log_dhcp6_client(client, "IA status %d",
status);
- dhcp6_lease_free_ia(ia);
-
r = -EINVAL;
goto error;
}
diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
index b65c31171..15c4f445f 100644
--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
@@ -828,13 +828,14 @@ static int client_parse_message(
break;
case SD_DHCP6_OPTION_STATUS_CODE:
- status = dhcp6_option_parse_status(option, optlen);
- if (status) {
+ status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
+ if (status < 0)
+ return status;
+
+ if (status > 0) {
log_dhcp6_client(client, "%s Status %s",
dhcp6_message_type_to_string(message->type),
dhcp6_message_status_to_string(status));
- dhcp6_lease_free_ia(&lease->ia);
- dhcp6_lease_free_ia(&lease->pd);
return -EINVAL;
}
--
2.17.1


From 19b82104da425efdb9ad0207ccabf5a1a091b81a Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 19 Oct 2018 03:42:10 +0900
Subject: [PATCH 7/9] sd-dhcp6: make dhcp6_option_parse_domainname() not store
empty domain

This improves performance of fuzzer.
C.f. oss-fuzz#11019.

(cherry picked from commit 3c72b6ed4252e7ff5f7704bfe44557ec197b47fa)
(cherry picked from commit 50403cccee28c7dcd54b138a0d3b3f69ea0204fe)
(cherry picked from commit f11f5abb1a8b96b553d2d156f8b5cf440695c04d)
(cherry picked from commit c836279fca80fb22ca7ef02acaa5b987fee61123)
---
.../src/libsystemd-network/dhcp6-option.c | 66 ++++++++-----------
1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
index cfddefcb5..be5c22237 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
@@ -555,6 +555,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
bool first = true;
for (;;) {
+ const char *label;
uint8_t c;
c = optval[pos++];
@@ -562,47 +563,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
if (c == 0)
/* End of name */
break;
- else if (c <= 63) {
- const char *label;
-
- /* Literal label */
- label = (const char *)&optval[pos];
- pos += c;
- if (pos >= optlen)
- return -EMSGSIZE;
-
- if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
- r = -ENOMEM;
- goto fail;
- }
-
- if (first)
- first = false;
- else
- ret[n++] = '.';
-
- r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
- if (r < 0)
- goto fail;
-
- n += r;
- continue;
- } else {
- r = -EBADMSG;
- goto fail;
- }
- }
+ if (c > 63)
+ return -EBADMSG;
+
+ /* Literal label */
+ label = (const char *)&optval[pos];
+ pos += c;
+ if (pos >= optlen)
+ return -EMSGSIZE;
+
+ if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
+ return -ENOMEM;
+
+ if (first)
+ first = false;
+ else
+ ret[n++] = '.';
+
+ r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
+ if (r < 0)
+ return r;
- if (!GREEDY_REALLOC(ret, allocated, n + 1)) {
- r = -ENOMEM;
- goto fail;
+ n += r;
}
+ if (n == 0)
+ continue;
+
+ if (!GREEDY_REALLOC(ret, allocated, n + 1))
+ return -ENOMEM;
+
ret[n] = 0;
r = strv_extend(&names, ret);
if (r < 0)
- goto fail;
+ return r;
idx++;
}
@@ -610,7 +605,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
*str_arr = TAKE_PTR(names);
return idx;
-
-fail:
- return r;
}
--
2.17.1


From 7dd0b1ae8cc44a6e3c91dc921a278f939d045f0d Mon Sep 17 00:00:00 2001
From: Li Song <song.li@honeywell.com>
Date: Fri, 19 Oct 2018 13:41:51 -0400
Subject: [PATCH 8/9] sd-dhcp: remove unreachable route after rebinding return
NAK

(cherry picked from commit cc3981b1272b9ce37e7d734a7b2f42e84acac535)
(cherry picked from commit 915c2f675a23b2ae16d292d1ac570706f76b384d)
(cherry picked from commit cb77290a696dce924e2a993690634986ac035490)
(cherry picked from commit f211b140a5861ddedc2424946e3ab07d3b642b5f)
---
src/systemd/src/libsystemd-network/sd-dhcp-client.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-client.c b/src/systemd/src/libsystemd-network/sd-dhcp-client.c
index c2f81e1c4..c28025410 100644
--- a/src/systemd/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp-client.c
@@ -1649,6 +1649,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
client->timeout_resend =
sd_event_source_unref(client->timeout_resend);
+ client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
+
r = client_initialize(client);
if (r < 0)
goto error;
--
2.17.1


From 5a89e393279e8d0c8c2943b4cce99b91c5ebe903 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 12:12:33 +0200
Subject: [PATCH 9/9] dhcp6: make sure we have enough space for the DHCP6
option header

Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.

CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067

(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
(cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79)
(cherry picked from commit fc230dca139142f409d7bac99dbfabe9b004e2fb)
(cherry picked from commit cc1e5a7f5731f223d1eb8473fa0eecbedfc0ae5f)
---
src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
index be5c22237..22970443d 100644
--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
@@ -105,7 +105,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
return -EINVAL;
}
- if (*buflen < len)
+ if (*buflen < offsetof(DHCP6Option, data) + len)
return -ENOBUFS;
ia_hdr = *buf;
--
2.17.1

58
SOURCES/1003-manager-accept-non-null-device-for-VPN-activations-rh1641174.patch Normal file
View File

@ -0,0 +1,58 @@
From 7b6c55fb10c8f500a79075a66d6f5387199392be Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 6 Jul 2018 15:54:16 +0200
Subject: [PATCH] manager: accept non-null device for VPN activations

Commit 10753c36168a ("manager: merge VPN handling into
_new_active_connection()") added a check to fail the activation of
VPNs when a device is passed to ActivateConnection(), since the device
argument is ignored for VPNs.

This broke activating VPNs from nm-applet as nm-applet sets both the
specific_object (parent-connection) and device arguments in the
activation request.

Note that we already check in _new_active_connection() that when a
device is supplied, it matches the device of the parent
connection. Therefore, the check can be dropped.

Reported-by: Michael Biebl <biebl@debian.org>
Fixes: 10753c36168a82cd658df8a7da800960fddd78ed

https://github.com/NetworkManager/NetworkManager/pull/159
(cherry picked from commit e205664ba8c25939f1678d1b078a67989c180046)
(cherry picked from commit 9748aef7c7982ad1fe377ab6fc64255fcdb52762)
---
src/nm-manager.c | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/src/nm-manager.c b/src/nm-manager.c
index 0fea13de6..289dcf838 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -4611,21 +4611,7 @@ validate_activation_request (NMManager *self,
}
}
- if (is_vpn && device) {
- /* VPN's are treated specially. Maybe the should accept a device as well,
- * however, later on during activation, we don't handle the device.
- *
- * Maybe we should, and maybe it makes sense to specify a device
- * when activating a VPN. But for now, just error out. */
- g_set_error_literal (error,
- NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_UNKNOWN_DEVICE,
- "Cannot specify device when activating VPN");
- return NULL;
- }
-
- nm_assert ( ( is_vpn && !device)
- || (!is_vpn && NM_IS_DEVICE (device)));
+ nm_assert (is_vpn || NM_IS_DEVICE (device));
*out_device = device;
*out_is_vpn = is_vpn;
--
2.17.1

13
SPECS/NetworkManager.spec
View File

@ -10,7 +10,7 @@
%global epoch_version 1
%global rpm_version 1.12.0
%global real_version 1.12.0
%global release_version 6
%global release_version 8
%global snapshot %{nil}
%global git_sha %{nil}

@ -124,10 +124,12 @@ Patch5: 0005-ibft-cap-sys-admin-rh1371201.patch
Patch6: 0006-support-aes256-private-keys-rh1623798.patch
Patch7: 0007-core-fix-wireless-bitrate-property-name-on-D-Bus-rh1626391.patch
Patch8: 0008-dns-dnsmsaq-avoid-crash-no-rev-domains-rh1628576.patch
Patch9: 0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch

Patch1000: 1000-cli-remove-assertion-in-nmc_device_state_to_color.patch
Patch1001: 1001-translations-rh1569438.patch
Patch1002: 1002-cli-fix-reading-vpn.secrets.-from-passwd-file.patch
Patch1003: 1003-manager-accept-non-null-device-for-VPN-activations-rh1641174.patch

# The pregenerated docs contain default values and paths that depend
# on the configure options when creating the source tarball.
@ -320,7 +322,9 @@ devices.
Summary: Open vSwitch device plugin for NetworkManager
Group: System Environment/Base
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%if 0%{?rhel} == 0
Requires: openvswitch
%endif

%description ovs
This package contains NetworkManager support for Open vSwitch bridges.
@ -886,6 +890,13 @@ fi


%changelog
* Fri Nov 2 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.0-8
- dhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688)

* Mon Oct 22 2018 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.0-7
- manager: accept non-null device for VPN activations (rh #1641174)
- drop dependency of NetworkManager-ovs on openvswitch (rh #1633190)

* Sat Sep 15 2018 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.0-6
- dns: dnsmasq: avoid crash when no reverse domains exist (rh #1628576)
- initscripts: fix ownership of ifup/ifdown executables (rh #1626517)